Security update for apache2 SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:2549-1 Final 1 1 2017-09-21T18:44:58Z current 2017-09-21T18:44:58Z 2017-09-21T18:44:58Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for apache2 This update for apache2 fixes the following security issue: - CVE-2017-9798: Prevent use-after-free use of memory that allowed for an information leak via OPTIONS (bsc#1058058). This update was imported from the SUSE:SLE-12-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-updates/2017-09/msg00095.html E-Mail link for openSUSE-SU-2017:2549-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 apache2-2.4.23-16.1 apache2-devel-2.4.23-16.1 apache2-doc-2.4.23-16.1 apache2-event-2.4.23-16.1 apache2-example-pages-2.4.23-16.1 apache2-prefork-2.4.23-16.1 apache2-utils-2.4.23-16.1 apache2-worker-2.4.23-16.1 apache2-2.4.23-16.1 as a component of openSUSE Leap 42.2 apache2-devel-2.4.23-16.1 as a component of openSUSE Leap 42.2 apache2-doc-2.4.23-16.1 as a component of openSUSE Leap 42.2 apache2-event-2.4.23-16.1 as a component of openSUSE Leap 42.2 apache2-example-pages-2.4.23-16.1 as a component of openSUSE Leap 42.2 apache2-prefork-2.4.23-16.1 as a component of openSUSE Leap 42.2 apache2-utils-2.4.23-16.1 as a component of openSUSE Leap 42.2 apache2-worker-2.4.23-16.1 as a component of openSUSE Leap 42.2 apache2-2.4.23-16.1 as a component of openSUSE Leap 42.3 apache2-devel-2.4.23-16.1 as a component of openSUSE Leap 42.3 apache2-doc-2.4.23-16.1 as a component of openSUSE Leap 42.3 apache2-event-2.4.23-16.1 as a component of openSUSE Leap 42.3 apache2-example-pages-2.4.23-16.1 as a component of openSUSE Leap 42.3 apache2-prefork-2.4.23-16.1 as a component of openSUSE Leap 42.3 apache2-utils-2.4.23-16.1 as a component of openSUSE Leap 42.3 apache2-worker-2.4.23-16.1 as a component of openSUSE Leap 42.3 Apache httpd allows remote attackers to read secret data from process memory if the Limit directive can be set in a user's .htaccess file, or if httpd.conf has certain misconfigurations, aka Optionsbleed. This affects the Apache HTTP Server through 2.2.34 and 2.4.x through 2.4.27. The attacker sends an unauthenticated OPTIONS HTTP request when attempting to read secret data. This is a use-after-free issue and thus secret data is not always sent, and the specific data depends on many factors including configuration. Exploitation with .htaccess can be blocked with a patch to the ap_limit_section function in server/core.c. CVE-2017-9798 openSUSE Leap 42.2:apache2-2.4.23-16.1 openSUSE Leap 42.2:apache2-devel-2.4.23-16.1 openSUSE Leap 42.2:apache2-doc-2.4.23-16.1 openSUSE Leap 42.2:apache2-event-2.4.23-16.1 openSUSE Leap 42.2:apache2-example-pages-2.4.23-16.1 openSUSE Leap 42.2:apache2-prefork-2.4.23-16.1 openSUSE Leap 42.2:apache2-utils-2.4.23-16.1 openSUSE Leap 42.2:apache2-worker-2.4.23-16.1 openSUSE Leap 42.3:apache2-2.4.23-16.1 openSUSE Leap 42.3:apache2-devel-2.4.23-16.1 openSUSE Leap 42.3:apache2-doc-2.4.23-16.1 openSUSE Leap 42.3:apache2-event-2.4.23-16.1 openSUSE Leap 42.3:apache2-example-pages-2.4.23-16.1 openSUSE Leap 42.3:apache2-prefork-2.4.23-16.1 openSUSE Leap 42.3:apache2-utils-2.4.23-16.1 openSUSE Leap 42.3:apache2-worker-2.4.23-16.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-updates/2017-09/msg00095.html https://www.suse.com/security/cve/CVE-2017-9798.html CVE-2017-9798 https://bugzilla.suse.com/1058058 SUSE Bug 1058058 https://bugzilla.suse.com/1060757 SUSE Bug 1060757 https://bugzilla.suse.com/1077582 SUSE Bug 1077582 https://bugzilla.suse.com/1078450 SUSE Bug 1078450 https://bugzilla.suse.com/1089997 SUSE Bug 1089997